Fraud prevention: Improving internal controls

Internal fraud controls aren't fire-and-forget. Smart collaboration and ongoing improvement will help keep fraud in check. Here are the basics.

There are several keys to effective fraud prevention, but some of the most important tools in the corporate toolbox are strong internal controls. Equally important, though, are the company's attitude towards fraud, internal controls and an ethical organizational culture. While ethical culture is driven by senior management's control environment ("tone at the top"), buy in from the company's Board of Directors and Audit Committee are also essential in promoting an ethical and transparent environment.

The focus of this article is on strengthening internal controls. According to the Committee of Sponsoring Organizations (COSO),

Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations.

Internal controls should not be thought of as "static." They are a dynamic and fluid set of tools which evolve over time as the business, technology and fraud environment changes in response to competition, industry practices, legislation, regulation and current economic conditions.

Missing checks and disappearing funds: Take an exclusive look inside the Anatomy of a fraud

While no company, even with the strongest internal controls, is immune from fraud, strengthening internal control policies, processes and procedures definitely makes companies a less attractive target to both internal and external criminals seeking to exploit internal control weaknesses.

More practical advice on fraud prevention

Strengthening internal controls is seldom accomplished by enhancing one process; rather it involves a comprehensive review of the risks faced, the existing internal controls already in place and their adequacy in preventing fraud from occurring. An internal control review may be conducted corporate-wide or on a location by location basis, or broken down to the individual business unit level. Generally, a review of this nature involves an in depth examination of people, processes and technology. However, there are other intangibles your organization can not afford to overlook.

Audit Interaction

The first part of strengthening internal controls involves changing the attitude some employees have towards auditors. While it is easy to view auditors as the police department's "Internal Affairs" group—whose sole responsibility it is to ferret out wrongdoing—identifying employees who are breaking the rules, personal and professional success is to be had by viewing auditors as key partners and allies in the battle against fraud. This is further reinforced as the auditor's role ensures that he or she is always at the forefront of corporate policies, practices, procedures, technology, new products and services, making auditors a valuable source of corporate information.

Secondly, part of strengthening internal controls is simply a matter of defining, or clarifying, ownership roles and responsibilities.

A common misperception among corporate employees is that internal controls are solely the responsibility of the company's Audit Department. While internal auditors measure the effectiveness of internal control through their efforts, they don't generally assume ownership. They assess whether the controls are properly designed, implemented and working effectively and make recommendations on how to improve internal control.

According to the Institute of Internal Auditors (IIA), "responsibility for the system of internal control within a typical organization is a shared responsibility among all the executives, with leadership normally provided by the CFO."

Companies with strong internal controls (policies, processes and procedures) view the process holistically and find a team approach valuable. An effective team environment encompasses members from a variety of different business units and disciplines and may include representatives from: Human Resources, Compliance, Investigations, Audit, General Counsel's Office, Senior Management, and Security (Information and Physical).

Also see Enterprise risk management: Get started in six steps (free Insider registration required)

To manage the process effectively, individual departments work together in an interactive manner. Working together increases issue awareness, strengthens communication, reduces opportunity for fraud and ensures a more comprehensive and robust internal control process.

Failure to work together may have consequences as indicated by this example:

A finance company utilizing more of an individually owned internal control process discovered an employee theft. Before making other key stakeholders aware of the theft, the department immediately acted on the information and confronted the suspect employee. While the employee ultimately admitted to the theft as was known at the time, the failure to bring other departments into the equation had significant long term impact. Post-investigation research and forensic analysis ultimately determined that the employee was part of an organized ring. Not only were funds stolen, but so was personally identifiable information (PII) which may have been used to commit identity theft outside the corporation. While the investigation should have been driven exclusively by the investigations department, the magnitude and scope of the operation would have been identified earlier had the appropriate individuals been involved at the outset of the incident under a uniform internal control group with clear lines of responsibility and authority.

So, the question is: what are the best practices used to get people to cooperate in a group like this? While it would be easy to say that there's a best practice standard for getting different managers, executives and business unit leaders to the table to agree on internal control protocols, ownership and responsibilities, unfortunately given the differing cultures and operating dynamics in each company, there isn't a "one size fits all" solution that is going to work uniformly for every company.

However, from my experience, a "top down" approach involves the formation of an internal controls working group, headed by the audit department with the support of the audit committee. This works in many companies, especially as there is accountability under Sarbanes Oxley to the audit committee and the company's board of directors. While some business unit leaders naturally resent being told what to do, what processes to implement, and how to implement them, eventually most will comply given the regulatory and internal reporting environment mandating that certain steps are taken. It is possible to avoid the resentment through good old fashioned relationship-building, where you bring multidisciplinary teams together willingly under the auspices of tightening internal controls and building a stronger company.

Communication

One way to strengthen internal controls is by improving the communication process. I've seen countless situations where key stakeholders are unaware of major events occurring within a corporation or business unit. This is problematic as there is no opportunity for management to fix something that they're unaware is broken. Regular interaction and communication between departments is paramount in this process.

Communication protocols must be established and agreed upon enterprise wide. Critical incident event distribution notification processes and procedures must be in place to ensure everyone is aware of an incident and understands what their defined roles are when the incident occurs.

Part of incident awareness lies with the ethics, hotline and event notification systems being used by the corporation pursuant to Sarbanes Oxley requirements. Many industry professionals have experience with the operation of ethics and compliance hotline systems but not all incidents are reported through these compliance mechanisms. One of the key questions surrounds how companies notify key stake holders when an event occurs outside the ethics or compliance system? While this communication often falls under a first responder type program, it is imperative that companies have defined processes and communication protocols in place to notify the key management employees who "need to know."

An effective notification system operates over a central server, delivers event messaging to predefined employees in "real time," as the event occurs, and is sent directly to the employees and their smart devices. This level of event notification ensures that the people who need to know about an incident are made aware in a timely manner and fosters immediate and unified response as required.

While many companies either utilize in-house resources or contract with a vendor to provide these ethics, code of conduct and incident reporting services, an increased number of system reports generally assist in strengthening internal controls as it provides more opportunities to evaluate reported events and corresponding internal control deficiencies.

One of the methods to strengthen the internal controls associated with this process involves evaluation of the communication protocols used to promote the ethics hotline, employees awareness of the hotline tool, how to access it and ways to use it effectively. According to the 2010 ACFE Report to the Nation, frauds are most likely to be detected through a tip than by any other means. This process may be strengthened through increased promotion of the hotline in company mailings, internal communications, newsletters and company website.

While not all calls to the ethics hotline are indicative of an internal control weakness or fraud, the ones that are demand increased scrutiny to determine root cause analysis. Once the root cause has been determined, there is an opportunity to strengthen internal controls if a control was either exploited or nonexistent.

Segregation of Duties

One area where many companies can significantly strengthen their internal controls involves segregation of duty policies and this is often considered the "primary internal control." It is imperative that there are adequate segregation of duties involving custody, authorization and control of source documents and records. E.g. one person should not have the sole authority to initiate a transaction, authorize or approve a transaction and complete the transaction without appropriate sign off processes and differing levels of management approval. The lack of proper segregation of duty policies is most often the root cause of many fraud and theft events in companies without strong internal controls in this area.

Also see Separation of duties and IT security

There have been so many examples of fraud committed directly as a result of a company's failure to segregate duties that it's not necessary to focus solely on one. Rather, it's important to examine the common themes which contribute to these frauds. Generally, the fraud usually occurs in a finance area; involves someone with unsupervised control over company funds and documents (checks) and access to banking accounts for deposits and withdraws; there is no segregation of duties and the fraud occurs in companies with lax internal controls. So, for example a bookkeeper is able to write a check to himself without worrying about being detected.

Using established fraud prevention best practices, financial duties (cash disbursements) should always be segregated amongst multiple employees. This usually means that there are multiple employees involved in the financial process with oversight at several places in the process. This ensures that one employee cannot manipulate the entire process and increases awareness amongst employees that someone is not only looking, but conducting random audits to reconcile financial transactions. Check stock should be controlled and secured, secondary levels of management approval and dual signatures on checks and payment authorization on amounts over pre-established financial levels should be required. Further, all employee should have individual financial transactional levels established which vary according to their management levels, or position of authority, business unit needs and ability to obligate the business to a financial commitment.

Checks are not the only area of concern. The same type of internal controls should be in place for company credit cards and electronic payment tools. It would be just as easy for one employee with complete responsibility for accounts payable to fraudulently wire money outside the company or establish fraudulent electronic payments without the proper level of oversight and control. Segregation of duties in this area would also prevent an employee from creating "phantom" vendor accounts, false invoices and making payments against those invoices without additional verifications in place.

Lessons Learned

While no company wants to experience internal or external fraud events, victimization may have long term corporate anti-fraud benefits if all departments have comprehensive incident handling protocols and the incident is handled appropriately after the fact.

1 2 Page
Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies